Auditing File Changes

Darren Cole dcole at keysoftsys.com
Mon Jul 10 23:37:14 UTC 2006


> The original idea was to prevent the user from opening the file in any
> text or hex editor and changing the file or the file's allowed operations,
> which would be stored in the file itself. However, if we can capture the
> open call we may not need the encryption after all. All of this is just
> a proof of concept. It will need to be refined much more before we do the
> actual implementation, which is why I'm here to get these comments and
> ideas from the community. :) We do not want to reinvent the wheel but the
> permissions need to go beyond the basic read-write-exec since engineers
> will need to modify the source code files but we may not want them to copy
> them to a usb drive or email them, and we want the permissions to be in
> place across platforms.

selinux can do this using policy (MLS policy specifically) and of
course auditing.  The idea is that you can label a file to be
Secret.  To access this file the user must be at Secret.  When at
Secret they can only write at Secret, so even if they change
permissions or copy the data, it will still be at Secret and only
users allowed Secret access can see these files.  You can then define
at what level a usb device is mounted, or what level the email system
runs at, so that Secret data cannot be written to the device or sent
through email.  This is a greatly simplified explanation of MLS and
more detail is probably outside the scope of the audit list.  You
might try looking at the lspp-redhat list
<http://www.redhat.com/mailman/listinfo/redhat-lspp>, or the Fedora MLS wiki
<http://www.fedoraproject.org/wiki/SELinux/FedoraMLSHowto>.

The above is of course specific to MLS systems (selinux, Trusted
Solaris, HP-UX 10.26 and several others), so it isn't really cross
platform in the way you probably want.  Still, it might give you a
place to start so you don't reinvent the wheel.

>>
>> You'd have to modify OpenOffice to decrypt and re-encrypt documents,
>> right?
>
> The idea was that we would capture the writes and the data and then
> encrypt it ourselves so OO would not need to care.

In an MLS system OO should not care either.

>
> Evan

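The MLS behaviour sketched in the reply above, as an added toy model that is not part of the original post or of SELinux itself: labels are a sensitivity level plus a category set, reads need the subject to dominate the object, writes need the object to dominate the subject, and a copy is a read plus a write, so data at Secret cannot land on a USB mount or a mail spool labelled lower. The level names, the "engineer" subject and the mount/spool labels are constructed for the example.

```python
from dataclasses import dataclass

# Sensitivity levels in dominance order (constructed names for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "topsecret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Level is at least as high AND categories are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject, obj):
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property: no write down (target must dominate the subject)."""
    return obj.dominates(subject)


def copy_file(subject, src, dst_label):
    """A copy is a read of src plus a write to dst; the result carries the
    destination's label, so the data never escapes to a lower level."""
    if not (can_read(subject, src) and can_write(subject, dst_label)):
        return None  # denied by policy
    return dst_label


# Constructed sample: an engineer cleared to Secret editing a Secret source file.
engineer = Label("secret")
source_file = Label("secret")
usb_mount = Label("unclassified")   # removable device mounted at a low level
mail_spool = Label("unclassified")  # mail system running at a low level
secret_dir = Label("secret")


def demo():
    return {
        "edit_source": can_read(engineer, source_file) and can_write(engineer, source_file),
        "copy_to_usb": copy_file(engineer, source_file, usb_mount),
        "mail_it": copy_file(engineer, source_file, mail_spool),
        "copy_within_secret": copy_file(engineer, source_file, secret_dir),
    }


if __name__ == "__main__":
    for action, result in demo().items():
        print(action, "denied" if result is None else result)
```

Changing DAC permission bits does not enter into this check at all, which is the point the reply makes: the label travels with the data, not with mode bits.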



More information about the Linux-audit mailing list